No thank you for the music: The ticket bots stopping you from going to gigs

Want to see One Direction in concert? You might have to fight for tickets with some bots (Picture: Getty)

Beliebers, festival-goers and fans of Michelin-starred cuisine are all falling victim to an emerging type of computer programme.

This weekend, thousands of music fans will attend Reading Festival. For many, obtaining tickets will have involved spending hours in front of a screen, frantically hoping that the next click would be the click to success.

Advances in technology have changed the way we purchase concert tickets, make restaurant reservations or book hotel rooms, but recently, these advances have been used to give certain parties an unfair advantage, helping them snap up tickets to concerts they’ve no interest in attending or making reservations at restaurants they’ve never heard of.

Enter the bot, a computer programme which automates the process that a human would go through when purchasing tickets or making reservations.

Networks of bots – botnets – are used by cybercriminals to send spam messages and spread viruses, but the humble bot alone has now spread to entertainment.

There have been an increasing number of cases where bots have been used by ticket touts to automatically purchase huge numbers of concert tickets, make restaurant reservations or book hotel rooms the moment they become available. The result: the ordinary punter misses out altogether or gets ripped off when they see the tickets turn up on another site seconds later at ten times the original price.

‘As a music fan and gig-goer I find them devious and frustrating, and as someone who works in the music industry I find them dangerous,’ said Keith Marnoch, label manager at Essential Music and Marketing in London. ‘They skew the amount promoters feel they can charge for concert tickets and it means that only the wealthy can afford to go. It also means that the people who profit the most from shows are those who contribute nothing to the experience.’

Worryingly, making a bot is relatively easy. ‘Creating a bot isn’t difficult,’ said Professor John Aycock, from the computer science department at the University of Calgary in Canada.

‘More sophisticated bots take more effort and skill, but the bots used for illegal purposes can be rented on the black market. In that sense, even unskilled miscreants can have access to lots of computing firepower.’

One organisation to suffer is Ticketmaster. Last year it admitted that nine out of of ten hits on its US website come from bots on its busiest days. Bots are causing problems on this side of the pond, too.

Take Westlife’s farewell tour, which took place last year. Tickets sold out in minutes and an investigation discovered that about 150 tickets were purchased using a small number of credit cards registered to addresses in the Milton Keynes area. The tickets were bought within seconds of each other and were in the same area. Ticket fraud experts Iridium Consultancy, which carried out the investigation, said it was ‘virtually impossible’ to obtain sequential seats by manually typing in details to buy tickets.

So what is being done to prevent these bots – which can be bought online – and how easy are they to detect?

‘Bots present very difficult problems, so this is an arms race between companies like us and the individuals who create bots,’ said Ticketmaster in a statement. ‘These people are continually innovating and refining bots to make them harder to identify. We invest millions of pounds in technology to differentiate real fans and have a series of automatic checks in place, including reCAPTCHA and IP address monitoring.’

CAPTCHA (or Completely Automated Public Turing test to tell Computers and Humans Apart) is the mix of hard-to-read words and numbers designed to ensure those buying tickets are real people – reCAPTCHA is its upgrade which does the same task, yet also digitises books one typed word at a time.

But telling the difference between a human and a computer isn’t easy. ‘It’s hard to remotely determine if your software is interacting with a human or a bot,’ said Professor William Robertson, a cybersecurity specialist at Boston’s Northeastern University. ‘The most popular approach is to use CAPTCHAs – a small task to be completed prior to a sensitive operation that, in theory, should be easy for a human to do, but difficult for software to automate.

‘The classic example is displaying an image containing garbled characters along with a web form, where it should be relatively easy for a person to recognise the letters. However, advances in automated signal processing have made these less effective, which is one reason why CAPTCHAs have increased in difficulty to the point where they’re hard for humans to read too.’

The problems with reCAPTCHA mean it has already been ditched by Ticketmaster’s US site, where a new verification system, Type-In, devised by Solve Media, is now used. Its words are more eligible and it also permits advertising. However, reCAPTCHA is still in use on Ticketmaster.co.uk, which says it is monitoring the progress of Type-In before confirming its plans.

Other methods focus on the different behavioural habits of humans and computers. ‘Another approach would be to use anomaly detection – using automated techniques to recognise the differences in behaviour between normal users and bots,’ said Prof Robertson. ‘An example of this would be to observe that a human might spend a few minutes on each web page displayed during checkout processes before proceeding, while a bot might move much more quickly through each page.

‘However, bot authors can also react to improvements in the detection of algorithms used by organisations such as Ticketmaster by adjusting the bots to act more like people, for instance, by pausing at each page in a way that mimics human behaviour. Because a site like Ticketmaster probably wants to avoid aggressively blocking users suspected of malicious behaviour – since that could impact their revenue – the authors can progressively mutate the behaviour of their bots to respond to improvements in detection techniques and bypass Ticketmaster’s defences.’

The war on bots looks set to continue.

‘There currently aren’t any foolproof technical solutions for detecting bots,’ said Jason Hong, associate professor in computer science at Pittsburgh’s Carnegie Mellon University, where CAPTCHA and reCAPTCHA were developed.

‘It’s going to take a combination of technical, legal and market solutions to change the situation. As long as it’s profitable for people to create bots and resell tickets, then people will keep trying to do it.’

Bots have many victims: ticketing agencies, music fans who are forced to pay over the odds for tickets, the owners of restaurants who find the majority of their tables are booked as soon as they become available – often by guests who fail to appear.

Because of bots, many of those attending Reading this weekend will have found it harder than ever to obtain tickets through official sources.

‘Getting tickets for these sorts of events is hard enough without touts having an unfair advantage,’ said Nicholas Bone, a music lover and regular gig-goer from Hampshire. ‘To get tickets for popular events you have to spend hours on the phone and online, constantly redialling and clicking “refresh”.

‘It’s definitely harder to get tickets for gigs as live music events have grown more popular. Bots – and the touts which use them – only make the problem worse.’